Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3
IP Addressing and Services Commands: D through H
Download this chapter
IP Addressing and Services Commands: D through HIP Addressing and Services Commands: D through H
Download the complete book
Book-level PDF: Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 Book-level PDF: Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 (PDF - 3 MB)
give_us_feedback

Table Of Contents

default-router

delay (tracking)

delay (virtual server)

deny (IP)

dns-server

domain-name (DHCP)

dynamic

faildetect

forwarding-agent

glbp authentication

glbp forwarder preempt

glbp ip

glbp load-balancing

glbp preempt

glbp priority

glbp timers redirect

glbp timers

glbp weighting track

glbp weighting

hardware-address

host


default-router

To specify the default router list for a Dynamic Host Configuration Protocol (DHCP) client, use the default-router command in DHCP pool configuration mode. To remove the default router list, use the no form of this command.

default-router address [address2...address8]

no default-router

Syntax Description

address

Specifies the IP address of a router. One IP address is required, although you can specify up to eight addresses in one command line.

address2...address8

(Optional) Specifies up to eight addresses in the command line.


Defaults

No default behavior or values.

Command Modes

DHCP pool configuration

Command History

Release
Modification

12.0(1)T

This command was introduced.


Usage Guidelines

The IP address of the router should be on the same subnet as the client subnet. You can specify up to eight routers in the list. Routers are listed in order of preference (address1 is the most preferred router, address2 is the next most preferred router, and so on).

Examples

The following example specifies 10.12.1.99 as the IP address of the default router: 

default-router 10.12.1.99

Related Commands

Command
Description

ip dhcp pool

Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.


delay (tracking)

To specify a period of time to delay communicating state changes of a tracked object, use the delay command in tracking configuration mode. To disable the delay period, use the no form of this command.

delay {up seconds down seconds | up seconds | down seconds}

no delay {up seconds down seconds | up seconds | down seconds}

Syntax Description

up

Specifies the up delay.

down

Specifies the down delay.

seconds

Delay value in seconds.


Defaults

No default behavior or values

Command Modes

Tracking configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command is available to all tracked objects.

Examples

In the following example, the tracking process is tracking the IP route metric threshold. The delay period to communicate the changes of the tracked object to the client process is set to 30 seconds. 

track 1 ip route 10.22.0.0/16 metric threshold

 threshold metric up 16 down 20 

 delay down 30

delay (virtual server)

To change the amount of time IOS Server Load Balancing (IOS SLB) maintains TCP connection context after a connection has terminated, use the delay command in SLB virtual server configuration mode. To restore the default delay timer, use the no form of this command.

delay {duration | radius framed-ip duration}

no delay {duration | radius framed-ip duration}

Syntax Description

duration

Delay timer duration for TCP connection context, in seconds. The valid range is 1 to 600 seconds. The default value is 10 seconds.

radius framed-ip duration

Delay timer for RADIUS framed-ip sticky database, in seconds. The valid range is 1 to 600 seconds. The default value is 10 seconds.


Defaults

The default duration for the TCP connection context is 10 seconds.
The default duration for the RADIUS framed-ip sticky database is 10 seconds.

Command Modes

SLB virtual server configuration

Command History

Release
Modification

12.0(7)XE

This command was introduced.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.

12.2

This command was integrated into Cisco IOS Release 12.2.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.1(18)E

The radius and framed-ip keywords and the duration argument were added.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.


Usage Guidelines

The TCP connection context delay timer allows out-of-sequence packets and final acknowledgments (ACKs) to be delivered after a TCP connection ends. Do not set this value to zero (0).

If you are configuring a TCP connection context delay timer for HTTP flows, choose a low number such as 5 seconds as a starting point.

For the Home Agent Director, the delay command has no meaning and is not supported.

Examples

The following example specifies that IOS SLB maintains TCP connection context for 30 seconds after a connection has terminated: 

Router(config)# ip slb vserver PUBLIC_HTTP

Router(config-slb-vserver)# delay 30

Related Commands

Command
Description

show ip slb vservers

Displays information about the virtual servers defined to IOS SLB.

virtual

Configures the virtual server attributes.


deny (IP)

To set conditions in a named IP access list that will deny packets, use the deny command in access list configuration mode.To remove a deny condition from an access list, use the no form of this command.

[sequence-number] deny source [source-wildcard]

[sequence-number] deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

no sequence-number

no deny source [source-wildcard]

no deny protocol source source-wildcard destination destination-wildcard

Internet Control Message Protocol (ICMP)

[sequence-number] deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Group Management Protocol (IGMP)

[sequence-number] deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

[sequence-number] deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

User Datagram Protocol (UDP)

[sequence-number] deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description

sequence-number

(Optional) Sequence number assigned to the deny statement, causing the system to insert the statement in that numbered position in the access list.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-range-name

(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.


Defaults

There is no specific condition under which a packet is denied passing the named access list.

Command Modes

Access list configuration

Command History

Release
Modification

11.2

This command was introduced.

12.0(1)T

The time-range time-range-name keyword and argument were added.

12.0(11) and 12.1(2)

The fragments keyword was added.

12.2(13)T

The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.

12.2(14)S

The sequence-number argument was added.

12.2(15)T

The sequence-number argument was integrated into 12.2(15)T and the igrp keyword was removed.


Usage Guidelines

Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the Access-List Entry has...
Then..

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

The entry is applied to nonfragmented packets and initial fragments.

If the entry is a permit statement, the packet or fragment is permitted.

If the entry is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

If the entry is a permit statement, the noninitial fragment is permitted.

If the entry is a deny statement, the next access-list entry is processed.

Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

...the fragments keyword, and assuming all of the access-list entry information matches,

Note The access-list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.


Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.

Note The fragments keyword cannot solve all cases involving access lists and IP fragments.

Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

Examples

The following example sets a deny condition for a standard access list named Internetfilter: 

ip access-list standard Internetfilter

 deny 192.5.34.0  0.0.0.255

 permit 128.88.0.0  0.0.255.255

 permit 36.0.0.0  0.255.255.255

! (Note: all other access implicitly denied)

The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.: 

time-range no-http

 periodic weekdays 8:00 to 18:00

!

ip access-list extended strict

 deny tcp any any eq http time-range no-http

!

interface ethernet 0

 ip access-group strict in

The following example adds an entry with the sequence number 25 to extended IP access list 150: 

Router(config)# ip access-list extended 150

Router(config-std-nacl)# 25 deny ip host 3.3.3.3 host 45.5.5.34

The following example removes the entry with the sequence number 25 from the standard access list example shown above: 

Router(config-std-nacl)# no 25

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP extended)

Defines a standard IP access list.

ip access-group

Controls access to an interface.

ip access-list

Defines an IP access list by name.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

ip access-list resequence

Applies sequence numbers to the access list entries in an access list.

permit (IP)

Sets conditions under which a packet passes a named IP access list.

remark

Writes a helpful comment (remark) for an entry in a named IP access list.

show ip access-list

Displays the contents of all current IP access lists.

time-range

Specifies when an access list or other feature is in effect.


dns-server

To specify the Domain Name System (DNS) IP servers available to a Dynamic Host Configuration Protocol (DHCP) client, use the dns-server command in DHCP pool configuration mode. To remove the DNS server list, use the no form of this command.

dns-server address [address2...address8]

no dns-server

Syntax Description

address

The IP address of a DNS server. One IP address is required, although you can specify up to eight addresses in one command line.

address2...address8

(Optional) Specifies up to eight addresses in the command line.


Defaults

If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses.

Command Modes

DHCP pool configuration

Command History

Release
Modification

12.0(1)T

This command was introduced.


Usage Guidelines

Servers are listed in order of preference (address1 is the most preferred server, address2 is the next most preferred server, and so on).

Examples

The following example specifies 10.12.1.99 as the IP address of the domain name server of the client: 

dns-server 10.12.1.99

Related Commands

Command
Description

domain-name (DHCP)

Specifies the domain name for a DHCP client.

ip dhcp pool

Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.


domain-name (DHCP)

To specify the domain name for a Dynamic Host Configuration Protocol (DHCP) client, use the domain-name command in DHCP pool configuration mode. To remove the domain name, use the no form of this command.

domain-name domain

no domain-name

Syntax Description

domain

Specifies the domain name string of the client.


Defaults

No default behavior or values.

Command Modes

DHCP pool configuration

Command History

Release
Modification

12.0(1)T

This command was introduced.


Examples

The following example specifies cisco.com as the domain name of the client: 

domain-name cisco.com

Related Commands

Command
Description

dns-server

Specifies the DNS IP servers available to a DHCP client.

ip dhcp pool

Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.


dynamic

To define a named dynamic IP access list, use the dynamic command in access-list configuration mode. To remove the access lists, use the no form of this command.

dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [fragments]

no dynamic dynamic-name

Internet Control Message Protocol (ICMP)

dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments]

Internet Group Management Protocol (IGMP)

dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments]

Transmission Control Protocol (TCP)

dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [fragments]

User Datagram Protocol (UDP)

dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [fragments]

Syntax Description

dynamic-name

Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.


Defaults

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Modes

Access-list configuration

Command History

Release
Modification

11.2

This command was introduced.

12.0(11)

The fragments keyword was added.

12.2(13)T

The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.


Usage Guidelines

You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the ToS value, or the precedence of the packet.

Caution Named IP access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Note After an access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of ToS names:

max-reliability

max-throughput

min-delay

min-monetary-cost

normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited

alternate-address

conversion-error

dod-host-prohibited

dod-net-prohibited

echo

echo-reply

general-parameter-problem

host-isolated

host-precedence-unreachable

host-redirect

host-tos-redirect

host-tos-unreachable

host-unknown

host-unreachable

information-reply

information-request

mask-reply

mask-request

mobile-redirect

net-redirect

net-tos-redirect

net-tos-unreachable

net-unreachable

network-unknown

no-room-for-option

option-missing

packet-too-big

parameter-problem

port-unreachable

precedence-unreachable

protocol-unreachable

reassembly-timeout

redirect

router-advertisement

router-solicitation

source-quench

source-route-failed

time-exceeded

timestamp-reply

timestamp-request

traceroute

ttl-exceeded

unreachable

The following is a list of IGMP message names:

dvmrp

host-query

host-report

pim

trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

bgp

chargen

daytime

discard

domain

echo

finger

ftp

ftp-data

gopher

hostname

irc

klogin

kshell

lpd

nntp

pop2

pop3

smtp

sunrpc

syslog

tacacs-ds

talk

telnet

time

uucp

whois

www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

biff

bootpc

bootps

discard

dns

dnsix

echo

mobile-ip

nameserver

netbios-dgm

netbios-ns

ntp

rip

snmp

snmptrap

sunrpc

syslog

tacacs-ds

talk

tftp

time

who

xdmcp

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the Access-List Entry has...
Then..

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

The entry is applied to nonfragmented packets and initial fragments.

If the entry is a permit statement, the packet or fragment is permitted.

If the entry is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

If the entry is a permit statement, the noninitial fragment is permitted.

If the entry is a deny statement, the next access-list entry is processed.